Cyber War Pt 2: Unintended Consequences

This follow up to ‘Cyber War – Real Time View‘ delves slightly deeper, and examines the possibility of ‘unintended consequences’

Another view of attacks, again from security company Norse.

There are two important aspects regarding these images:

1. The people behind the attacks are not necessarily residing or even acting from the country the attacks appear to come from. As was noted last time, ‘this is a war without frontiers, uniforms, or even a clearly defined enemy’. Its important not to view this as one country versus another country type of war. It’s far more subtle than that.

2. The map mainly serves so show the scale and type of the attacks as monitored by Norse. It is not a complete picture of all worldwide threats. It under-reports because it doesn’t include attacks on sites that aren’t monitored by Norse. Other security companies will have similar maps that aren’t publicly available. Without access to that data, the real scale of intrusion attempts cannot be accurately assessed.

Many of these attacks are simply about theft. Data is money, and attackers are looking to steal private data to sell on to willing buyers.

The theft from ‘Target Stores’ in 2013 involved 40 million credit cards, and 70 million customer details. It was estimated that between 1 to 3 million card details were sold on by the thieves, netting around $54 million

Target aren’t alone, these have been subject to a large scale loss of data in 2014;
Staples – 1.16 million cards, Michaels (retail chain) – 2.6 million cards, Home Depot – 56 million cards and 53 million email addresses, Sony – Theft of 5 unreleased films, and 47k Social security numbers (including 15k staff) many will full personal details, JP Morgan Chase – 76 million households and 7 million small businesses data, and New York’s Attorney General advised that over 8 years, 22.8 million private records were exposed.

However, its not always about theft.

Industrial espionage or malicious intent can be the motives, such as disrupting a company or organization’s operations, sometimes re-routing or delaying the logistics chain. There is also the example from 2013 where drug dealers hacked the Belgium Antwerp port computers, with the intent to smuggle drugs into the country.

Probably the most public malicious attack was the Stuxnet worm, (2008-2010). An infected USB stick delivered a payload intended to achieve a very specific result, and targeted only the Siemens devices that controlled the Iranian centrifuges used for uranium enrichment. It’s believed that 20% of the Iranian centrifuges were destroyed by Stuxnet.

The worm was later confirmed to be a joint USA / Israeli operation, and although achieving its objective, it wasn’t without problems. The worm was designed not to travel outside the the nuclear facility. However an error in the code allowed the worm to replicate and spread all over the internet. It was claimed that no ‘unintended consequences’ occurred as a result, but some reports suggest otherwise. The Russians claimed that their nuclear facility was infected with the worm and, in the UK, a French owned nuclear reactor unexpectedly shut down. EDF confirmed that the reactor also used Siemens controllers, but denied that the Stuxnet virus was involved. In a secret war, how would we ever know?

However, whatever the truth, it does appear that no catastrophic events occurred. Will we be so lucky the next time, when the people who design malicious code fail to grasp the significance of the unintended consequences of their work?

This attack highlighted how unprepared countries and organisations are to defend or respond to such action. It also showed how catastrophic unintended consequences might occur.

Most of all, it showed the potential of Cyber-warfare – the ability to collapse complex infrastructures.

Similar malware could cause havoc if allowed to infiltrate the computers in large corporations or infrastructure such as Power, Water or Communications.

This isn’t a war in which people are merely spectators. In many cases they are the players. Often the doors are left open by the users themselves.

A major retail chain suffered a crippling attack last December, during a peak trading period. Despite having invested in an extensive central security team, it transpired that a senior director had download porn onto his work computer and unwittingly introduced the malware into his business.

Many intrusions occur because an individual had a lapse with their own security. One intrusion technique is APT (Advanced Persistent Threats) where a specific individual is identified, and then repeatedly targeted with the expectation that eventually one intrusion will be successful.

‘Security should be viewed as a shared responsibility that reaches well beyond the traditional view of it residing in a single department.’ …Senior Director NTT Com Security

This should be the standard thinking, but it’s far from it.

Security is not ‘configure and forget’. It requires constant monitoring and user interventions. Often the simple solutions are most effective.

Around 60% of attacks on web applications in the UK are ‘SQL injection‘, typically exploiting known vulnerabilities in software. It’s not reported how many are successful, but since NTT Com Security research shows that 76% of known vulnerabilities identified in Businesses were over 2 years old, its not hard to see why they are so popular with attackers. The simple act of regularly updating operating systems and applications would block them.

Everyone has responsibility for computer security.

When the lights go out, or communications fail, or water fails to run out of the tap, it’s quite possible that someone, somewhere enabled the malware intrusion by downloading some forbidden file onto their PC without first considering the possible ‘unintended consequences’.

That might be all it takes.